Unauthorized Access to Patient Medical Records

Hennepin County Medical Center (HCMC), the facility that treated George Floyd, fired 13 employees for unauthorized access to patient medical records. More details are discussed below.

Unauthorized Access to Patient Medical Records: What Happened

HCMC recently discovered that George Floyd’s medical records had been accessed by employees without authorization. HCMC first discovered the breach during its routine review of its access logs. Upon confirming the HIPAA violation, the 13 employees who had accessed the records without authorization were fired, including three nurses, a lab technician, a social worker, and a paramedic.

“It is the practice of the Hennepin Healthcare Information Privacy Department to conduct privacy access audits. Access to the Hennepin Healthcare electronic medical record by our workforce is tracked and logged, which supports our auditing efforts. Any breach of patient confidentiality is taken seriously and thoroughly investigated. If it is determined that a violation has occurred, disciplinary action up to and including termination can be used. Additionally, Hennepin Healthcare complies with federal information privacy regulations which require notification to patients about a confirmed privacy breach. To maintain patient confidentiality, we do not comment on specific cases.”

Hennepin County Medical Center

Unauthorized Access to Patient Medical Records: Why This is a HIPAA Violation

The HIPAA Privacy Rule permits a covered entity and its workforce to use and disclose PHI without patient authorization only for a defined set of purposes, chiefly treatment, payment, and healthcare operations. An employee’s access to a record must therefore serve one of those purposes and be part of that employee’s job. In addition, access to PHI must comply with the minimum necessary standard (45 CFR 164.502(b) and 164.514(d)), which requires the organization to identify which workforce members need access to which PHI, and to limit each employee’s access to the protected health information (PHI) they require to perform their job, and to the occasions when a specific job function actually requires it.

Because the employees in question accessed George Floyd’s medical records for reasons unrelated to their job functions, their access constitutes unauthorized access to patient medical records, regardless of the roles they held.

Why Compliancy Group

HIPAA Compliance is an important part of your business, so why not use someone you can trust? Compliancy Group is the only compliance firm to be listed on both Inc. 2020 Best Places to Work and 2020 Inc. 5000 list of the fastest-growing private companies in America. By working with us, you are welcomed into the safety of our family.


How to Prevent Unauthorized Access to Patient Medical Records

There are certain measures that can be taken to prevent unauthorized access to patient medical records. It is unclear whether HCMC implemented these measures beyond tracking access to PHI through audit logs; however, all healthcare organizations should implement them to prevent similar incidents from occurring within their own organizations.

Access Controls.

Designate different levels of access to PHI based on employees’ job roles. This prevents employees from accessing records they have no business reason to open. Role alone is not enough here: nurses, lab technicians, and paramedics all legitimately open patient charts, so a control that only checks the job title would not have stopped the HCMC employees. What would have is tying chart access to an active treatment relationship (the patient’s current care team or encounter), with a logged, justified break-the-glass path for genuine emergencies. Although HCMC went as far as to admit George Floyd under a pseudonym, it likely did not limit access to his PHI to only the employees who needed it. Proper access controls would have prevented employees who were not treating George Floyd from accessing his records.

Audit Logs.

Audit logs record who accessed which record, when, and from where, so that unauthorized access to PHI can be detected quickly. Audit logs are a detective control, not a preventive one: the implementation of audit logs is what allowed HCMC to determine that George Floyd’s records had been accessed without authorization, but only after the fact, during a routine review. Reviewing logs on a schedule and alerting immediately on access to flagged or high-profile records shortens the window between the access and its discovery.
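The two controls above, as one added example that is not HCMC’s system or Compliancy Group’s code: a small PHI access policy that ties chart access to an active care team (with a justified break-the-glass path that is allowed but flagged), and a privacy access audit that replays a constructed access log against that same policy, the way a retrospective review like HCMC’s would. The roles, user ids, medical record numbers, log format, and the choice to allow break-the-glass on a restricted record but raise an alert rather than deny it are all assumptions made for the illustration.

```python
"""Added example, not HCMC's system or Compliancy Group's code: a minimal
PHI access policy tied to an active care relationship, plus a privacy access
audit that replays a constructed access log against that policy.
User ids, roles, MRNs, the log format and the log lines are all made up."""
from dataclasses import dataclass

# Workforce roles that may open a chart at all; any other role is denied.
CLINICAL_ROLES = {"physician", "nurse", "paramedic", "lab_tech", "social_worker"}


@dataclass
class Patient:
    mrn: str                  # medical record number
    care_team: set            # user ids currently treating this patient
    restricted: bool = False  # confidential / high-profile flag on the record


@dataclass
class AccessEvent:
    ts: str
    user: str
    role: str
    mrn: str
    reason: str = ""          # justification typed at a break-the-glass prompt


def decide(patient, event):
    """Return (allowed, label) for one chart-open attempt.

    Care-team members get routine access. Other clinicians may break the
    glass only by giving a reason; that access is allowed so emergency care
    is never blocked, but labelled so the privacy office reviews it, with a
    stronger label on restricted records. Everything else is denied."""
    if event.role not in CLINICAL_ROLES:
        return False, "deny:role"
    if event.user in patient.care_team:
        return True, "allow:care_team"
    if event.reason:
        return True, ("alert:break_glass_restricted" if patient.restricted
                      else "review:break_glass")
    return False, "deny:no_relationship"


def parse_log(text):
    """Parse constructed lines of the form
    '<ts> user=<id> role=<role> mrn=<mrn> reason=<free text, may be empty>'."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        # At most four fields; the reason field keeps any spaces it contains.
        kv = dict(part.split("=", 1) for part in rest.split(" ", 3))
        events.append(AccessEvent(ts, kv["user"], kv["role"], kv["mrn"],
                                  kv.get("reason", "")))
    return events


def audit(patients, events):
    """Replay the log against the policy and return what a retrospective
    privacy access audit should put in front of a human: every access the
    policy would have denied, plus every break-the-glass access."""
    findings = []
    for ev in events:
        patient = patients.get(ev.mrn)
        if patient is None:
            findings.append((ev, "deny:unknown_mrn"))
            continue
        allowed, label = decide(patient, ev)
        if not allowed or not label.startswith("allow:"):
            findings.append((ev, label))
    return findings


# Constructed sample: one restricted record with a three-person care team,
# one ordinary record, and a log mixing routine, curious and emergency access.
PATIENTS = {
    "P-00042": Patient("P-00042", {"md_lee", "rn_ortiz", "emt_cho"}, restricted=True),
    "P-00107": Patient("P-00107", {"md_lee", "rn_park"}),
}

SAMPLE_LOG = """
2020-06-01T10:15:00Z user=rn_ortiz role=nurse mrn=P-00042 reason=
2020-06-01T10:16:30Z user=rn_park role=nurse mrn=P-00042 reason=
2020-06-01T10:20:05Z user=lab_44 role=lab_tech mrn=P-00042 reason=
2020-06-01T11:02:11Z user=sw_diaz role=social_worker mrn=P-00107 reason=consult requested by md_lee
2020-06-01T11:40:00Z user=vol_3 role=volunteer mrn=P-00042 reason=
2020-06-01T12:00:00Z user=md_rao role=physician mrn=P-00042 reason=code blue response
"""

if __name__ == "__main__":
    for ev, label in audit(PATIENTS, parse_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.user:10} {ev.role:14} {ev.mrn} -> {label}")
```

Run stand-alone, the audit flags five of the six events: the nurse and lab technician who opened the restricted chart with no care relationship and no reason (the HCMC pattern), the volunteer with no clinical role, and the two break-the-glass accesses for review. In a real EHR, `decide` would run at chart-open time and the care team would come from orders and encounter data rather than a hand-maintained set; the point of the example is that the same policy serves both as the preventive check and as the rule the audit replays.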

Employee Training.

To ensure that employees only access PHI to perform their job functions, employees must be trained on the proper uses and disclosures of PHI. It is unclear whether HCMC trained its employees on this, but if it did, the employees in question ignored that training.

Do You Need Help With Employee Training?

Employee training can mean all the difference in your HIPAA compliance. Employees who are not properly trained are more likely to cause an insider breach. This is why Compliancy Group has created engaging employee training through the use of short animated videos, and quizzes that test employee knowledge. Throughout the training employees legally attest that they have read and understood the training material, instilling a culture of compliance within your organization.

Find out more about our HIPAA employee training!
